How about if you disable user reboot and shutdown? Then you could replace the power button with a key switch.
							
						
					Announcement
				
					Collapse
				
			
		
	
		
			
				No announcement yet.
				
			
				
	
Offtopic (split from ...data offline from live CD)
				
					Collapse
				
			
		
	This topic is closed.
				
				
				
				
				X
X
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Tags: None
 - Top
- Bottom
 
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
 Attack: enter sudo reboot in a console window
 Defense: disallow sudo and su
 
 Attack: Remove and re-insert the power cord
 Defense: Tamper-resistant power cabling (no socket in back of PC, no socket in wall)
 
 Attack: Use Alt+SysRq+R+S+E+I+U+B to reboot the computer without needing to be root
 Defense: Put echo 0 > /proc/sys/kernel/sysrq in /etc/rc.local to disable Magic SysRq keys
 
 and so on
 aanndd ssoo oonn
 aaaannnndddd ssssoooo oooonnnn
 - Top
- Bottom
 
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 Well the first one (sudo) just a good password and not being in the sudo users group would prevent that. Besides, you could block Konsole and re-direct crtl-alt-fX or close the ttys.
 
 I'm going to drag this out until your head explodes...
 
 
   
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
 Attack: Attach a FireWire device (if the computer has a port) -- unlike USB, FireWire does direct memory access and can take control of the hardware
 Defense: Disable FireWire in firmware settings or blacklist the kernel module
 
 Attack: Press Alt+F2 and enter dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
 Defense: Disable KRunner, or the ability to (1) run commands and (2) change the KRunner configuration
 
 We could keep going 
 
 The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.Last edited by SteveRiley; May 31, 2014, 06:22 PM.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 Preach!Originally posted by SteveRiley View PostThe overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
 
 I am no expert but it seems like a simplistic solution to just pop in a CD or USB and boot the machine.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 If one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.Windows no longer obstruct my view.
 Using Kubuntu Linux since March 23, 2007.
 "It is a capital mistake to theorize before one has data." - Sherlock Holmes
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
 Yep, that's about the only way to accomplish the goals, but the tradeoff is a severe reduction in utility. No offline work can be done, for example.Originally posted by Snowhog View PostIf one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
 
 But this alone won't prevent someone from shrinking the partitions on the computer's hard drive and installing an operating system on it.Originally posted by Simon View PostI will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
 
 There are really only two solutions here:
 1. Remote desktop, as Snowhog writes.
 2. Hardware-based attestation and root-of-trust using a TPM, as I described in post #14.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 So it boils down to what you said Steve, you need some avenue of trust with your employees. I am glad Frank and I run a relaxed working atmosphere at the clinic. We don't bark at our staff for playing games at work. For example, Cindy is working the front desk and I can see that between patients she is on Facebook or playing a game. I really could care less as long as it relaxes her and she can get her work done. I really don't need a crab ass greeting people at the front. lol
 
 I would never expect anyone to work in an environment that cannot trust each other to do their job. At lunch we usually stay in and order takeout, so a lot of us like to jump on a game. I hit Kongregate or something like that at lunch. BTW I almost forgot. We are running Linux in the office now, Frank and I set all the office PCs up to use it. A few people came in last month and was thinking they would have to relearn. But we have everything set up and no complaints. Best of all, zero downtime so far. However I lost out on installing Kubuntu, Frank convinced me that Debian with the Gnome GUI (I think) is more Windows user friendly to assimilate. But you guys know I am still loyal to my Kubuntu as my employees and coworkers are loyal to me.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
 GNOME Shell (in GNOME 3.x) is about as opposite from Windows as you can imagine. Are you sure the DE that Frank picked is that one? The older GNOME 2.x is sort of Windowsish, but it is no longer under maintenance.
 
 TBH, if the goal is to replicate a Windows experience, KDE is the best choice.
 
 Oh, and hello from AA 2411 at 39,000 feet, enroute DFW to SFO! Yes, I'm posting this purely because I can Ain't technology grand? Ain't technology grand?
 
  Last edited by SteveRiley; Jun 06, 2014, 10:27 PM. Last edited by SteveRiley; Jun 06, 2014, 10:27 PM.
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 I can't see you. Open the door and "wave".Windows no longer obstruct my view.
 Using Kubuntu Linux since March 23, 2007.
 "It is a capital mistake to theorize before one has data." - Sherlock Holmes
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 I am getting ready to head for work, but here is the info Frank gave me.
 
 Linux Debian 6.0.9
 Kernel 2.6.32-5-686
 Gnome 2.30.2
 
 Now before you go telling me we could do better, I doubt even one machine in the office has a dual core or more. In fact, I seem to recall the best machine we got donated to us was an Intel 32 2Ghz with 1GB or so of RAM. But it is not like we spent any of our funding on this, the university gave us bonus points for that small feat alone. Frank and I feel this is a victory. It works and that is what really matters eh? Money well not spent.  
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish   - Jul 2011
- 9625
- Seattle, WA, USA
- Send PM
 
 - Top
- Bottom
 Comment
- 
	
	
	
		
	
	
		
		
		
		
		
		
		
	
	
 Forgive me, I'm having an imagination failure. Probably because I wasn't around in the old school daysOriginally posted by Snowhog View PostIf one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports. 
 
 What exactly is a client terminal & monitor? I'd imagined them as really low powered PCs that can SSH to the server, but based on your description that can't be right! What's the physical connection between it and the server?
 - Top
- Bottom
 Comment
Users Viewing This Topic
				
					Collapse
				
			
		
	There are 0 users viewing this topic.




 
							
						
Comment